Is your business ready for GDPR?
Businesses are generating data at a staggering pace. With more and more files in their possession, the number of breaches and near misses rises with them.
According to digital security company Gemalto there were 974 publicly disclosed data breaches during the first half of 2016, which led to the theft or loss of 554 million data records.
Members of the public are rightly concerned about the potential risks of such a breach if a company or organisation is holding personal information about them.
GDPR (General Data Protection Regulation) is the biggest change in data privacy regulation in two decades and it affects businesses of all sizes and in every sector, including SMEs. It has been devised to protect data privacy and standardise data protection laws across Europe.
From 25 May 2018, when GDPR is enforced, heavy fines (up to four percent of annual turnover) will be handed out to companies that do not comply.
GDPR for SMEs in simple terms
GDPR broadens the scope of personal privacy laws to protect the data rights of EU citizens.
Individuals will have greater control over who holds data relating to them, and how it can be used.
After the legislation comes into play next year, organisations will have to report data breaches within 72 hours.
There will be more stringent rules for obtaining consent from individuals on how their data can be used.
GDPR applies to personal data that resides anywhere within an organisation. Its impact will be felt by every area of a small or medium sized business.
Some kinds of small businesses will be affected more than others by the introduction of GDPR. For example, online retailers, social networking sites and other internet-based companies are amongst those that will need to do the most preparation for GDPR. Other sectors that would do well to get their houses in order well ahead of time include the financial services sector, retailers, the communications industry and healthcare.
Identification is key
Ahead of next May, every SME needs to undertake a full internal review to establish what is required.
The review needs to include:
- What types of personally identifiable information do you hold?
- Where are they located?
- What level of security is required?
- Who has access?
- How will the data be used?
- Do you have consent to use the data you hold?
GDPR is about more than just data being secure. It’s about capturing the context of data and being able to prove everything is being done to protect the subject’s data and the rights of the subject themselves.
Governance is paramount
For an SME to be truly ready for GDPR, they need to:
- Have business-wide policies in place.
- Communicate the rules in a way that all staff understand.
- Have data assets fully recorded.
- Be aware of data context.
Knowing data and understanding its context allows for easy reporting.
Accountability: covers the whole organisation, cross-referencing those who control data.
Responsibility: data protection should be a standing agenda item for senior management and board meetings.
Set up internal controls
Strong internal controls can help an SME to ensure that they do not fall foul of the new GDPR legislation:
- Records held of all data sources and locations.
- Documented authorisations and access levels within the organisation.
- Revise the staff handbook/policy to address what is needed.
- Allocated roles and responsibilities for everyone that touches data.
First and foremost, you need to plan for what needs to happen within your business, charity or organisation to ensure future GDPR compliance.
Whatever Brexit looks like, UK enterprises that sell goods or services to other EU countries will need to comply with the new legislation. Whether England, Scotland, Wales and Northern Ireland will retain GDPR in a post-Brexit world, we don’t yet know. But the UK government has indicated that if they ditch the new rule, something similar will be established in its place.
So sitting back and doing nothing is not an option. Small businesses need to be preparing themselves for tighter data regulations right now – whether in the form of GDPR or something else.
Throughout the next couple of months Business Doctors will be running GDPR seminars.